All Tech Considered

2:19 pm

Tue April 8, 2014

The Security Bug That Affects Most Of The Internet, Explained

A screen grab from a Heartbleed test Tuesday morning showed Yahoo was vulnerable. The company has since fixed the vulnerability.

filippo.io/Heartbleed screengrab

Editor's Note: A very serious bug with a scary name, Heartbleed, was discovered and disclosed this week. The bug affects OpenSSL, a popular cryptographic library that is used to secure a huge chunk of the Internet's traffic. Even if you have never heard of OpenSSL, chances are, it's helped secure your data in some way. So I asked one of our trusted developers, and a nut for net security, Jeremy Bowers, to explain why Heartbleed's such a concern. — Elise Hu

What's the problem?

You trust your banking or Web mail sites to protect your communications when you see the little lock icon in your Web browser. This is why you're OK with typing passwords into Hotmail or your credit card numbers into Amazon.

A popular piece of software called OpenSSL is used by Internet companies to provide this kind of security. On March 14, 2012, someone introduced a bug that would allow an attacker to get the "crown jewels," the encryption keys used to protect your communications directly from the companies themselves.

With those keys, an attacker could eavesdrop on your communications with that company and/or impersonate that company, making it possible for them to harvest things like credit card numbers or passwords with relative ease.

"As soon as we became aware of the issue, we began working to fix it. Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."

Yahoo didn't immediately offer advice to users about what they should do or what the effect on them is.

Why is this so devastating?

It's devastating for several reasons.

First, OpenSSL is used very broadly, from big companies like Yahoo to small companies and mom-and-pop shops with shopping carts provided by a vendor. And it's hard for you to tell who's affected or when they've fixed it because companies don't broadcast which versions of OpenSSL they're running to people like you and me.

Second, in order to fix the bug and guarantee secure communications with you, each company has to update OpenSSL on every Internet-facing computer that they own. Worse, they also ought to revoke their SSL certificates — the "crown jewels" mentioned above — and generate new ones, based on the assumption that they could have been stolen at any point since March of 2012. This process could take a company days or even weeks to do.

Finally, since the bug in OpenSSL has existed since March 14, 2012, there are more than two years of your communications that could have been intercepted by an attacker. Anything you've done — shopping at online stores, logging into your bank or your Web mail — could possibly have been compromised in the past. Because of the nature of the attack, you wouldn't know anything about it.

What can I do about it?

Sadly, you're at the mercy of the individual Internet companies to get their software patched and their SSL keys revoked and regenerated. Once you feel certain this has been done at a particular company, you really ought to change your password, since this could easily have been fished out of your communications at any point in the last two years.

Additionally, it would be best to avoid things like shared Wi-Fi networks whenever possible as well, since attackers have their best access to your communications when you're sharing a network with them.

But generally, the burden is on Internet companies and not you. That's what makes this so frustrating.

Jeremy Bowers is a software developer on NPR's Visuals team. Reach him by email or on Twitter.